Quickstart: Create a Private Endpoint using Azure CLI

Get started with Azure Private Link by using a Private Endpoint to connect securely to an Azure web app.

In this quickstart, you'll create a private endpoint for an Azure web app and deploy a virtual machine to test the private connection.

Private endpoints can be created for different kinds of Azure services, such as Azure SQL and Azure Storage.

Prerequisites

Create a resource group

An Azure resource group is a logical container into which Azure resources are deployed and managed.

Create a resource group with az group create:

  • Named CreatePrivateEndpointQS-rg.
  • In the chinaeast2 location.
az group create \
    --name CreatePrivateEndpointQS-rg \
    --location chinaeast2

Create a virtual network and bastion host

In this section, you'll create a virtual network, subnet, and bastion host.

The bastion host will be used to connect securely to the virtual machine for testing the private endpoint, so the VM itself needs neither a public IP address nor an inbound RDP rule.

Create a virtual network with az network vnet create:

  • Named myVNet.
  • Address prefix of 10.0.0.0/16.
  • Subnet named myBackendSubnet.
  • Subnet prefix of 10.0.0.0/24.
  • In the CreatePrivateEndpointQS-rg resource group.
  • Location of chinaeast2.
az network vnet create \
    --resource-group CreatePrivateEndpointQS-rg \
    --location chinaeast2 \
    --name myVNet \
    --address-prefixes 10.0.0.0/16 \
    --subnet-name myBackendSubnet \
    --subnet-prefixes 10.0.0.0/24

Update the subnet to disable private endpoint network policies with az network vnet subnet update:

az network vnet subnet update \
    --name myBackendSubnet \
    --resource-group CreatePrivateEndpointQS-rg \
    --vnet-name myVNet \
    --disable-private-endpoint-network-policies true

Disabling the policies means that network security group rules and user-defined routes on myBackendSubnet are not applied to the private endpoint's network interface. That is fine for this quickstart; keep it in mind if you later add an NSG to this subnet and expect it to filter traffic to the endpoint.

Use az network public-ip create to create a public IP address for the bastion host:

  • Create a Standard SKU public IP address named myBastionIP (Azure Bastion requires the Standard SKU).
  • In CreatePrivateEndpointQS-rg.
az network public-ip create \
    --resource-group CreatePrivateEndpointQS-rg \
    --name myBastionIP \
    --sku Standard

Use az network vnet subnet create to create a bastion subnet:

  • Named AzureBastionSubnet (Azure Bastion requires exactly this name).
  • Address prefix of 10.0.1.0/24.
  • In virtual network myVNet.
  • In resource group CreatePrivateEndpointQS-rg.
az network vnet subnet create \
    --resource-group CreatePrivateEndpointQS-rg \
    --name AzureBastionSubnet \
    --vnet-name myVNet \
    --address-prefixes 10.0.1.0/24

Use az network bastion create to create a bastion host:

  • Named myBastionHost.
  • In CreatePrivateEndpointQS-rg.
  • Associated with public IP myBastionIP.
  • Associated with virtual network myVNet.
  • In the chinaeast2 location.
az network bastion create \
    --resource-group CreatePrivateEndpointQS-rg \
    --name myBastionHost \
    --public-ip-address myBastionIP \
    --vnet-name myVNet \
    --location chinaeast2

It can take a few minutes for the Azure Bastion host to deploy.

Create test virtual machine

In this section, you'll create a virtual machine that will be used to test the private endpoint.

Create a VM with az vm create. Replace <replace_with_your_password> with a password that meets the Azure VM complexity requirements; you'll use it to sign in through the bastion host. If you omit --admin-password, the CLI prompts for the password instead, which keeps it out of your shell history:

  • Named myVM.
  • In CreatePrivateEndpointQS-rg.
  • In network myVNet.
  • In subnet myBackendSubnet.
  • Server image Win2019Datacenter.
  • No public IP address (--public-ip-address ""), so the VM is reachable only through the bastion host.
az vm create \
    --resource-group CreatePrivateEndpointQS-rg \
    --name myVM \
    --image Win2019Datacenter \
    --public-ip-address "" \
    --vnet-name myVNet \
    --subnet myBackendSubnet \
    --admin-username azureuser \
    --admin-password <replace_with_your_password>

Note

Azure provides an ephemeral IP for Azure Virtual Machines that aren't assigned a public IP address, or that are in the backend pool of an internal Basic Azure Load Balancer. The ephemeral IP mechanism provides an outbound IP address that isn't configurable.

The ephemeral IP is disabled when a public IP address is assigned to the virtual machine or the virtual machine is placed in the backend pool of a Standard Load Balancer, with or without outbound rules. If an Azure Virtual Network NAT gateway resource is assigned to the subnet of the virtual machine, the ephemeral IP is disabled.

For more information on outbound connections in Azure, see Using Source Network Address Translation (SNAT) for outbound connections.

Create private endpoint

In this section, you'll create the private endpoint.

Use az webapp list to place the resource ID of the web app you created earlier into a shell variable. The query filters on the web app's name, because a resource group can hold several web apps and the variable must contain exactly one ID. Replace <webapp-resource-group-name> and <your-webapp-name> with your web app's resource group and name.

Use az network private-endpoint create to create the endpoint and connection:

  • Named myPrivateEndpoint.
  • In resource group CreatePrivateEndpointQS-rg.
  • In virtual network myVNet.
  • In subnet myBackendSubnet.
  • Connection named myConnection.
  • Targeting the sites sub-resource (--group-id sites) of your web app in resource group <webapp-resource-group-name>.
id=$(az webapp list \
    --resource-group <webapp-resource-group-name> \
    --query "[?name=='<your-webapp-name>'].id" \
    --output tsv)

az network private-endpoint create \
    --name myPrivateEndpoint \
    --resource-group CreatePrivateEndpointQS-rg \
    --vnet-name myVNet \
    --subnet myBackendSubnet \
    --private-connection-resource-id "$id" \
    --group-id sites \
    --connection-name myConnection

Configure the private DNS zone

In this section, you'll create and configure the private DNS zone using az network private-dns zone create.

You'll use az network private-dns link vnet create to create the virtual network link to the DNS zone.

You'll create a DNS zone group with az network private-endpoint dns-zone-group create. The zone group makes Azure write, and keep updated, the A record for the web app in the private zone using the private endpoint's IP address, so that name resolution from inside myVNet returns the private address instead of the public one.

  • Zone named privatelink.chinacloudsites.cn.
  • In virtual network myVNet.
  • In resource group CreatePrivateEndpointQS-rg.
  • DNS link named MyDNSLink.
  • Associated with myPrivateEndpoint.
  • Zone group named MyZoneGroup.
az network private-dns zone create \
    --resource-group CreatePrivateEndpointQS-rg \
    --name "privatelink.chinacloudsites.cn"

az network private-dns link vnet create \
    --resource-group CreatePrivateEndpointQS-rg \
    --zone-name "privatelink.chinacloudsites.cn" \
    --name MyDNSLink \
    --virtual-network myVNet \
    --registration-enabled false

az network private-endpoint dns-zone-group create \
    --resource-group CreatePrivateEndpointQS-rg \
    --endpoint-name myPrivateEndpoint \
    --name MyZoneGroup \
    --private-dns-zone "privatelink.chinacloudsites.cn" \
    --zone-name webapp

Test connectivity to private endpoint

In this section, you'll use the virtual machine you created in the previous step to connect to the web app across the private endpoint.

  1. Sign in to the Azure portal.

  2. Select Resource groups in the left-hand navigation pane.

  3. Select CreatePrivateEndpointQS-rg.

  4. Select myVM.

  5. On the overview page for myVM, select Connect, then Bastion.

  6. Select the blue Use Bastion button.

  7. Enter the username and password that you entered during the virtual machine creation.

  8. Open Windows PowerShell on the server after you connect.

  9. Enter nslookup <your-webapp-name>.chinacloudsites.cn. Replace <your-webapp-name> with the name of the web app you created in the previous steps. You'll receive a message similar to the one displayed below:

    Server:  UnKnown
    Address:  168.63.129.16

    Non-authoritative answer:
    Name:    mywebapp8675.privatelink.chinacloudsites.cn
    Address:  10.0.0.5
    Aliases:  mywebapp8675.chinacloudsites.cn

    A private IP address of 10.0.0.5 is returned for the web app name. This address is in the subnet of the virtual network you created previously. The public name is a CNAME to the privatelink name, and the private DNS zone linked to myVNet answers for that name. If this lookup returns a public address instead, the zone link or the zone group is misconfigured, and the VM would reach the web app over its public endpoint rather than the private one.

  10. In the bastion connection to myVM, open Internet Explorer.

  11. Enter the URL of your web app, https://<your-webapp-name>.chinacloudsites.cn.

  12. You'll receive the default web app page if your application hasn't been deployed:

    Screenshot: default web app page.

  13. Close the connection to myVM.
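As an added check for the DNS zone group step and for step 9 above (example code written for this page, not part of the original quickstart), the following script validates that a lookup really is being answered from the private endpoint: it parses nslookup output, extracts the answer address, and confirms it lies inside myBackendSubnet (10.0.0.0/24) rather than pointing at a public address. It also contains an optional function that compares the address Azure assigned to myPrivateEndpoint with the A record the zone group wrote into privatelink.chinacloudsites.cn. The two nslookup outputs are constructed samples (the public one uses the documentation range 203.0.113.0/24), the record name <your-webapp-name> is a placeholder, and the az-backed function needs a logged-in Azure CLI and is not run automatically.

```shell
#!/usr/bin/env bash
# Added verification helpers for the private endpoint quickstart (example code,
# not part of the original page). Pure shell except verify_endpoint_dns, which
# needs a logged-in Azure CLI and is only run when you call it yourself.

BACKEND_SUBNET="10.0.0.0/24"   # myBackendSubnet, where the endpoint NIC lives

# ip_to_int 10.0.0.5 -> 167772165 (IPv4 dotted quad to integer)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP CIDR -> exit 0 if IP lies inside CIDR, 1 otherwise
ip_in_cidr() {
    local ip net bits mask
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits="${2#*/}"
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# resolved_address "<nslookup output>" -> the answer address, skipping the
# resolver's own address (168.63.129.16 on Azure) printed above the answer.
# CRs are stripped so output pasted from the Windows VM parses too.
resolved_address() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk '/^Non-authoritative answer:/ {ans=1}
             ans && /^ *Address(es)?:/ {print $2; exit}'
}

# check_private_resolution "<nslookup output>" CIDR
# exit 0 if the name resolved to an address inside CIDR (traffic will use the
# private endpoint), 1 if it resolved elsewhere (traffic would go public),
# 2 if no answer could be parsed.
check_private_resolution() {
    local addr
    addr=$(resolved_address "$1")
    if [ -z "$addr" ]; then
        echo "no answer address found in nslookup output" >&2
        return 2
    fi
    if ip_in_cidr "$addr" "$2"; then
        echo "OK: $addr is inside $2 (private endpoint)"
        return 0
    fi
    echo "WARNING: $addr is outside $2; this host would reach the app over its public endpoint" >&2
    return 1
}

# verify_endpoint_dns RG ENDPOINT ZONE RECORD CIDR
# Compares the address Azure assigned to the private endpoint (customDnsConfigs
# is populated once the endpoint is provisioned) with the A record the DNS zone
# group wrote into the private zone. Requires a logged-in az CLI.
verify_endpoint_dns() {
    local rg="$1" pe="$2" zone="$3" record="$4" cidr="$5" nic_ip dns_ip
    nic_ip=$(az network private-endpoint show --resource-group "$rg" --name "$pe" \
        --query 'customDnsConfigs[0].ipAddresses[0]' --output tsv)
    dns_ip=$(az network private-dns record-set a show --resource-group "$rg" \
        --zone-name "$zone" --name "$record" --query 'aRecords[0].ipv4Address' --output tsv)
    echo "endpoint NIC: $nic_ip  zone A record: $dns_ip"
    [ -n "$nic_ip" ] && [ "$nic_ip" = "$dns_ip" ] && ip_in_cidr "$nic_ip" "$cidr"
}

# Constructed samples: the first mirrors what step 9 expects, the second shows
# a misconfigured lookup answering with a (documentation-range) public IP.
SAMPLE_PRIVATE='Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    mywebapp8675.privatelink.chinacloudsites.cn
Address:  10.0.0.5
Aliases:  mywebapp8675.chinacloudsites.cn'

SAMPLE_PUBLIC='Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    mywebapp8675.chinacloudsites.cn
Address:  203.0.113.10'

for sample in "$SAMPLE_PRIVATE" "$SAMPLE_PUBLIC"; do
    check_private_resolution "$sample" "$BACKEND_SUBNET" || true
done

# Live check once the endpoint and zone group exist (uncomment and fill in):
# verify_endpoint_dns CreatePrivateEndpointQS-rg myPrivateEndpoint \
#     privatelink.chinacloudsites.cn <your-webapp-name> "$BACKEND_SUBNET"
```

Run it from the same shell you used for the az commands; paste the nslookup output from the VM into a variable and pass it to check_private_resolution, or uncomment the last lines to compare the endpoint's address with the zone record directly. A non-zero exit from either check means clients in myVNet are not using the private path, which is the failure mode a private endpoint silently tolerates because the public endpoint keeps answering.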

Clean up resources

When you're done using the private endpoint and the VM, use az group delete to remove the resource group and all the resources it contains:

az group delete \
    --name CreatePrivateEndpointQS-rg

Next steps

In this quickstart, you created a:

  • Virtual network and bastion host.
  • Virtual machine.
  • Private endpoint for an Azure Web App.

You used the virtual machine to test connectivity securely to the web app across the private endpoint.

For more information on the services that support a private endpoint, see: